When writing any web application, it is crucial that you filter input data before using it. Joomla! provides a set of filtering libraries to help you accomplish this.


{{Notice|In Joomla! 2.5 {{JVer|2.5}} and newer, <code>JRequest</code> has been superseded by <code>JInput</code>. See [[Retrieving request data using JInput]].}}



==Security==


Why not just use the Superglobals? If you are familiar with PHP already you may be wondering, why not just use $_GET / $_POST / $_REQUEST? To make Joomla more secure, all global variables should be read through this function. It removes the possibility for code injection and/or SQL injection. You can also define a default value (as you can see in line 6). Copied and changed from [[Creating a simple component - Part 1]].

[[Category:Development]]

Revision as of 14:23, 3 February 2013

This Namespace has been archived - Please Do Not Edit or Create Pages in this namespace. Pages contain information for a Joomla! version which is no longer supported. It exists only as a historical reference, will not be improved and its content may be incomplete.

When writing any web application, it is crucial that you filter input data before using it. Joomla! provides a filtering library to help you accomplish this.

You can access the filtered request data using the JRequest class. Even though PHP allows you to access the data from the request using the superglobal arrays $_GET, $_POST and $_REQUEST, it is highly recommended to use JRequest instead of these superglobals. By using JRequest properly, you make sure that the data has the right format and its default value makes sense. This can prevent serious security holes such as SQL injection vulnerabilities.

Frequently, you will expect your variable to be found in a specific portion of the HTTP request (POST, GET, etc.). If this is the case, you should specify which portion; this will slightly increase your extension's security. If you expect 'address' to only be in POST, use this code to enforce that:

JREQUEST_ALLOWHTML - allows most HTML. If this is not passed in, HTML is stripped out by default.

Note: these are constants, not strings. Do not put quotes around them.

'get'

Use this to receive a whole array, filtered. For example, to get the POST data:

JRequest::get('post')

This returns the standard POST array. You can use it on a template page if needed, or in the models section if convenient. It returns the most recent POST. Methods of this object were not found in the Framework section where one would expect to find them.
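
The calls described above, put together as they would appear inside a legacy Joomla! extension where JRequest is available. This is an added example, not code from the original page; the field names, default values and the table name are hypothetical.

```php
<?php
// Added example: runs inside a Joomla! extension, where the framework has
// already loaded JRequest. It is not a stand-alone script.
defined('_JEXEC') or die;

// What to avoid: the raw superglobal has no source restriction, no type
// and no default value.
// $address = $_REQUEST['address'];

// 'address' (hypothetical field) is accepted from POST only, cleaned as a
// string, and falls back to '' when absent. A value sent in the query
// string is ignored.
$address = JRequest::getVar('address', '', 'post', 'string');

// Typed helpers cast the value, so anything non-numeric in 'id' becomes
// an integer and 'task' is reduced to command-safe characters.
$id   = JRequest::getInt('id', 0, 'get');
$task = JRequest::getCmd('task', 'display');

// HTML is stripped by default. Pass the mask as a constant (no quotes)
// only for fields that really need markup.
$body = JRequest::getVar('body', '', 'post', 'string', JREQUEST_ALLOWHTML);

// The whole POST array, with the default filtering applied to every value.
$post = JRequest::get('post');

// A filtered string can still contain quote characters, so it must be
// quoted by the database layer before it goes into SQL. The table name
// below is hypothetical.
$db    = JFactory::getDbo();
$query = 'SELECT * FROM #__example_addresses'
       . ' WHERE address = ' . $db->quote($address)
       . ' AND id = ' . (int) $id;
$db->setQuery($query);
$rows = $db->loadObjectList();
```

Writing `'JREQUEST_ALLOWHTML'` in quotes passes a string instead of the integer mask, so the HTML allowance is not applied as intended.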